android_kernel_google_msm/net/xfrm
Mathias Krause 53bf146992 xfrm_user: ensure user supplied esn replay window is valid
[ Upstream commit ecd7918745 ]

The current code fails to ensure that the netlink message actually
contains as many bytes as the header indicates. If a user creates a new
state or updates an existing one but does not supply the bytes for the
whole ESN replay window, the kernel copies random heap bytes into the
replay bitmap, the ones happen to follow the XFRMA_REPLAY_ESN_VAL
netlink attribute. This leads to following issues:

1. The replay window has random bits set confusing the replay handling
   code later on.

2. A malicious user could use this flaw to leak up to ~3.5kB of heap
   memory when she has access to the XFRM netlink interface (requires
   CAP_NET_ADMIN).

Known users of the ESN replay window are strongSwan and Steffen's
iproute2 patch (<http://patchwork.ozlabs.org/patch/85962/>). The latter
uses the interface with a bitmap supplied while the former does not.
strongSwan is therefore prone to run into issue 1.

To fix both issues without breaking existing userland allow using the
XFRMA_REPLAY_ESN_VAL netlink attribute with either an empty bitmap or a
fully specified one. For the former case we initialize the in-kernel
bitmap with zero, for the latter we copy the user supplied bitmap. For
state updates the full bitmap must be supplied.

To prevent overflows in the bitmap length calculation the maximum size
of bmp_len is limited to 128 by this patch -- resulting in a maximum
replay window of 4096 packets. This should be sufficient for all real
life scenarios (RFC 4303 recommends a default replay window size of 64).

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Martin Willi <martin@revosec.ch>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-10-13 05:38:41 +09:00
..
Kconfig ipsec: ipcomp - Merge IPComp implementations 2008-07-25 02:54:40 -07:00
Makefile xfrm: Move IPsec replay detection functions to a separate file 2011-03-13 20:22:30 -07:00
xfrm_algo.c xfrm: Fix key lengths for rfc3686(ctr(aes)) 2011-07-28 18:10:48 -07:00
xfrm_hash.c net: allow GFP_HIGHMEM in __vmalloc() 2010-11-21 10:04:04 -08:00
xfrm_hash.h xfrm: Const'ify address args to hash helpers. 2011-02-23 23:07:42 -08:00
xfrm_input.c xfrm: Workaround incompatibility of ESN and async crypto 2012-10-13 05:38:40 +09:00
xfrm_ipcomp.c net: add skb frag size accessors 2011-10-19 03:10:46 -04:00
xfrm_output.c xfrm: Remove unused xfrm_state from xfrm_state_check_space 2012-03-22 19:29:58 -04:00
xfrm_policy.c xfrm: fix a read lock imbalance in make_blackhole 2012-10-13 05:38:40 +09:00
xfrm_proc.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
xfrm_replay.c xfrm: Workaround incompatibility of ESN and async crypto 2012-10-13 05:38:40 +09:00
xfrm_state.c net: remove ipv6_addr_copy() 2011-11-22 16:43:32 -05:00
xfrm_sysctl.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
xfrm_user.c xfrm_user: ensure user supplied esn replay window is valid 2012-10-13 05:38:41 +09:00